Recently, The White House launched its own official app on iOS and Android, claiming that it gives users “unparalleled access to the Trump Administration”. After it launched, many tore it apart for the permissions it was asking for. Now, a security researcher pulled the APK and tore it apart to see what’s really going on.
The app is a React Native build using Expo SDK 54, with WordPress powering the backend through a custom REST API. That’s pretty normal, as nearly 42% of all websites on the internet are powered by WordPress.
But that’s just the start; now the nightmare begins. To start, the app has a full GPS tracking pipeline compiled in. Essentially, it’s set to poll your location every 4.5 minutes in the foreground, and 9.5 minutes in the background. It’s syncing latitude, longitude, accuracy, and timestamp data to OneSignal’s servers. These location permissions aren’t declared in the AndroidManifest, but they are hardcoded as runtime requests in the OneSignal SDK. Some have noted that the tracking only kicks in if the developer enables it server-side and the user grants permission, but it is there, ready to go.
The app is loading from a random person’s GitHub page
And it gets even stranger. Apparently, the app is loading JavaScript from a random person’s GitHub site for YouTube embeds. Yes, you read that right, it’s just loading JavaScript from a random GitHub site. So if that account ever gets compromised, arbitrary code could run inside the app’s WebView.
There’s also no SSL certificate pinning, meaning that traffic can potentially be intercepted on compromised networks like sketchy public WiFi or corporate proxies.
The app also injects JavaScript and CSS into every page you visit in the in-app browser. This strips away cookie consent dialogs, GDPR banners, login walls, and paywalls. There’s also leftover dev artifacts in the production build, including a localhost URL to the Metro bundler.
To put it plainly, this app is a security nightmare, and no one should have installed it, no matter what your political beliefs are.
The post A Security Researcher Decompiled The White House App, & What They Found Is Pretty Alarming appeared first on Android Headlines.
